As various forms of distributed computing, such as cloud computing, have come to dominate the computing landscape, modern computing has become a global endeavor. One difficulty encountered when computing on a global scale is the fact that different geographic and political regions have different rules and regulations, i.e., communications and data security policies, dictating the various types of secrets, security protocols, and security levels, such as encryption levels, that can be used to protect data within these different geographic and political regions.
As a specific illustrative example, the government of China allows only relatively low levels of encryption to be applied to data that is transferred to resources within China. In contrast, many European countries allow for a higher level of encryption to be applied to data that is transferred to resources within their territories. Consequently, an application, service, or system, desiring to transfer data between China and Europe must ensure that the level encryption used either in the communications channel itself, or to encrypt data in a message being sent via a communication channel, is encrypted at a level that is allowed both under Chinese communications and data security policy and European communications and data security policy.
Consequently, in a global computing environment, there is an added complexity of making sure that secure communications channels, and other secrets, used in, or deployed to, different geographic and political regions, are in compliance with the rules and regulations, i.e., the communications and data security policies, governing secure communications and the protection of data within the various geographic and political regions.
This situation, in and of itself, presents a level of complication that often interferes with the efficient processing and transferring of data required in modern computing environments, such as a cloud computing environment. However, the situation is further complicated and aggravated by the fact that there often exist different communications and data security zones, with distinct and different communications and data security policy requirements, within a given geographic or political region, and often within the same computing environment.
As an example, an application or service implemented in a cloud computing environment may, in some cases, be communicating with, or facilitating communication between, two resources, such as two virtual instances, that lie in different communications and data security zones within the same cloud computing environment or network, but are instantiated in the same geographic and political region. In this case, just as in the case of two resources communicating in different geographic or political regions, it must be confirmed that the communications and data security policies of both communications and data security zones are met.
As used herein, a given geographic, political, communications and data security zone, resource, and/or computing environment, having its own associated communications and data security policy is referred to as a communications jurisdiction zone. Consequently, as used herein, the term communications jurisdiction zone refers to both geographic and political zones as well as virtual communications and data security zones within various computing environments.
Given the situation described above, significant amounts of time and energy are currently devoted to ensuring that the communications and data security policies associated with various communications jurisdiction zones are met before communications channels are provided between two communications jurisdiction zones, and/or secrets are transferred between two communications jurisdiction zones. As noted, this often significantly interferes with the efficient and effective operation of various, and numerous, computing environments.
What is needed is a method and system to automatically determine the communications and data security policies associated with various communications jurisdiction zones and then, when communication is desired between two resources residing in two different communications jurisdiction zones, automatically determine the appropriate communications channels and secure communications security levels to deploy in order to provide the desired communication capability and remain in compliance with the communications and data security policies of the communications jurisdiction zones involved.